My name is Piotr Duszyński and this topic is about active defence in practice. I will
go quite rapidly through the slides because I have quite a lot of them. So keep your shoes
on and, okay, let's start. So, basically, shortly about me, I'm a security consultant
at Trustwave SpiderLabs. Basically, I enjoy security and among other things, but let's
move to another slide. So this presentation is about the results of my private research
of using active defence in practice. The first part will be about the new technique that
I have developed basically to slow down your attackers, to keep them from staying ‑‑
keep them out from staying low profile while they analyse your system and providing them
as little information as possible. So, basically, I will go quickly through the slides. So,
that's my second part. The second part will be example‑based and I will present you
new attacks for the software that I have taken from the Internet. The software that's used
for scanning and exploiting your systems. So, basically, at the end, there will be
a PoC demo for one of the well‑known port scanners. Hopefully this will be useful for
you and you'll like it, so basically we can start with the first part. This part is mainly focused
on the reconnaissance phase, so basically the most important part of every reconnaissance
phase is the port scan. I have taken Nmap as my target because we know it's the most
popular tool, so basically it's quite possible that somebody will be using it to scan your
system. Here we have a typical example where somebody is trying to scan your system, he
gets all of the information, all of the running services within an instance, and, yeah, that's
not exactly what we would like to share with our, let's say, offenders. Basically this
information can be used as another step to carry out some more sophisticated attacks.
So I thought, what would be the most ‑‑ the worst case scenario for a person scanning
or trying to get a view of running ‑‑ of your running services on your system. So
basically what if, for example, all of the ports were open, and what if on every port
there was actually a valid or it appears to be a valid service listening. And the attacker
has to basically, as usual, get a view of all running services on your remote system.
So basically, I'm going to go to the next slide.
I wrote this tool which is proof of concept and still work in progress that basically
implements that idea.
So when you want to get a full view of the remote system, like, you know, you go through
all of the ports, try to get all of the services identified, well, your attacker will need
a lot of patience because as I've seen, basically, as I've tested, all of the ports will be open.
He will have to send, like, about 120 megabytes of data and scan will take approximately ‑‑
STOP TALKING.
So we have a tradition at DEF CON.
First time speakers need to do a shot on stage, let's give them a round of applause for getting
selected.
Cheers, everyone.
Thanks for coming.
Thank you.
Thank you.
Now we have to see if you can pick up where he left off in the technical talk.
You guys judge how well he does.
I'm from Poland.
Come on.
It's just one shot.
So coming back, yeah.
So basically you get ‑‑ our attackers get nice juicy output, 65,000 or more valid
services.
Identified by Nmap.
Of course, I focus on Nmap, but basically it can be any other port scanner, but since
it's so popular, so why not that, too?
If you go through the listing, you can see different services, like Telnet, there's
even a back door, if you can see.
So basically, among that, there is somewhere probably your service running, which is valid
and could be possibly exploited.
But yeah, try to find it.
It's not so easy, I guess.
And somewhere in the ‑‑ when the attackers go through your service scan, they can find
a hidden message.
So basically ‑‑
Yeah, you can put any ASCII art there.
So also, the authentication results are a bit ‑‑ yeah.
It's strange.
For example, you can see that the real operating system was actually Linux 3.2.
Here you have, like, unsure results, plus, you know, Unix, Windows, Linux, Solaris.
You don't know what it is.
Additionally, which is actually the part ‑‑ the second part of the presentation, you can
also control certain fields which can help you with exploitation of a particular software.
So yeah.
Nmap.
There are similar results.
All of the port scanners.
Some of the ports are open.
Some of them are unidentified.
Yeah.
So what are the conclusions?
Basically, the stealth scans are no longer helpful with this technique because if all
of the ports are open, then basically you can make a connection.
If there's an open port, then there's a service running, all of them are open.
So yeah.
Also, authentication is a bit more challenging.
Yeah.
It's ‑‑ it also forces your attackers to generate a huge amount of data.
Of traffic.
So basically you can easily detect them or easier ‑‑ it's easier.
Yeah.
For service probes.
And, of course, it adds some frustration to your offenders.
Some might say that it's a security by obscurity.
But as far as ‑‑ if only it works, you know, it's ‑‑ that is the point.
I don't know if you can see the fish there, but it's there.
Yeah.
So ‑‑ but I'm sure that also you are thinking, like, okay, fine.
But I'm sure I can find some kind of bypass.
So for the ‑‑ that's also the way I was thinking.
So basically I'm saying maybe some of your questions.
There's no trivial way to detect false signatures apart from using some kind of protocol probes.
IP fragmentation and other network evasion techniques will not work because it goes through
the kernel to the user space program I have written.
So basically you can use fragmentation for any layer that you want.
It will anyhow be assembled at the end.
The only thing that will work is actually the full connect TCP, but it's not a mistake in the idea.
It's just that every software is actually vulnerable to this.
I've made some tests.
You can always try to mitigate this by using some of the ‑‑ of the tool parameters or just try to use iptables with a traffic shaper.
Also if you have any ideas, you know, for the bypass, send them to the mailing list.
I'll try to ‑‑
I'll try to fix the software or, I don't know, implement your idea.
Yeah.
Just shortly about Portspoof.
It's a user space software.
It doesn't require any root privileges, no kernel modules.
It just binds to one port per instance.
And then you just configure it through iptables by redirecting some of the ports that you want to spoof to localhost.
Yeah.
Okay.
Let's go to the good part.
Which is practical exploitation of your offender's toolbox.
I don't know if you have noticed maybe the output here is not very clear.
But with Nmap you can control certain fields, like, for example, the version fields, host fields.
That gives you a nice attack vector possibilities.
So I went to the Internet.
Looked for ‑‑ on Google.
We've Googled for some software that could be exploited with that.
And basically the first example is ‑‑ okay.
It's still anonymous because the author hasn't responded to me.
Basically if you set up on Portspoof a particular payload, like on any port, and somebody will use Nmap to scan your system, then generate a report.
And basically you are able to inject some JavaScript code into his port.
And that's the browser, let's say, context when he will be browsing the reports on his computer.
There's actually a nice thing about it.
Because, for example, if he launches Safari and goes through the results, basically same origin policy doesn't apply for file URI handlers.
Actually my friend told me this one.
Okay.
So there's a simple exploitation vector for this one, like port 17.
You can have one of them.
The next example is like Nmap.
So just ‑‑ so we don't stick to Nmap all the time.
It's just, you know, proof of concept.
You can basically exploit, for example, the McAfee SuperScan.
It was fixed, I think, a few days ago.
But basically if anyone would scan your system with this particular tool, later it generates a report.
And then you will be able also to inject JavaScript code into his browser context.
Later you can, for example, use BeEF or any other tool to do some post exploitation.
It really depends on you what you are going to do.
Yeah.
This is actually a real exploit from the Internet.
So I don't know if you can see the exact line.
But it's here.
Basically we control the content of the storage file, which actually is retrieved from one of the ports.
So what happens here is if we set up like payloads, for example, whoami on port 80, which is actually the ‑‑ which the port ‑‑ the exploit will connect to.
Well, if somebody will launch the exploit against your system, he will get an additional context, which is root.
Okay.
So basically you are able to execute or to do a command injection in somebody's shell.
If somebody is launching, for example, an exploit against your system.
It's nice about this.
You can also create, for example, a weaponized version of this ‑‑ of this ‑‑ for this payload.
But I won't go through all of the details here.
Because, I mean, for example, if you want to exploit ‑‑ if you want to exploit a system, you can do that.
There's this particular line that you have evaluation of the file content.
And basically you have to go around some issues.
Like you cannot use spaces.
You can't use apostrophes.
So basically this should be in the conference materials if you want to use it later.
But the result is that basically if you set up such payload on one of your ports, yeah, next time when somebody will launch the exploit against your system.
You won't only get whoami output.
But you will be able to, for example, download his whole root directory.
Another example is taken from the Autopwn script.
Which is nice because Autopwn scripts go usually through all of the ports.
They try to exploit all of the possibilities.
So basically if you have, like, different payloads on every port, some of them might hit that particular vulnerability.
And you will be able to exploit your attackers, too.
In this case, we have, again, and this is a real line of code.
I don't know if you see the vulnerability.
It's pretty obvious.
Yeah.
And, again, what a surprise.
whoami will work.
Which will result in OS command injection again.
What you can do with this?
And what are the conclusions for the current state of the security?
Because from what I've seen on the Internet in different tools, different scanning software, most of them, not all.
But most of them are exploitable with simple payloads.
Like, for example, whoami?
Or any other escaping sequences.
Especially Autopwn tools used by script kiddies or I don't know who.
But, yeah, if they launch the type of script against your system.
Then basically you can also try to.
I mean, it's an aggressive honeypot because you can create different payloads for every port with different escaping sequences.
Then it's up to you which command you will inject.
And if you want to find, for example, more vulnerable software, just go to Google.
The ones that I found is actually a top of a mountain.
Ice mountain.
I mean.
Again, many scripts are vulnerable.
You can use just your imagination while creating some payloads.
So, in this case, I'm sure you'll find something.
Yeah.
In the end, I wanted to show you a nice proof of concept demo for Nmap, an official NSE script.
Which, again, proves the concept.
It's nothing against the tool itself.
Okay.
All right.
Let's try it.
All right.
So, let's see if we can do this.
All right.
So, now we don't know where it's going.
Now we don't know what it is.
It's a red dot.
This is a way to move a file out of the script.
All right.
Can you see it?
Yeah?
No?
Okay.
No, really?
Do an interpretive dance.
Right.
In front here?
You can see it?
Yeah.
Amazing.
Yeah, okay.
Then I'll tell you.
So, basically, first screen, you might not see, we set up a Portspoof tool along with
a Meterpreter.
Second one, we scan the remote system, want to check, actually, what's on the port 80.
You can see that there's an Apache, HTTP, IBM Lotus Domino in the old version that's exploitable.
So basically what we can do ‑‑ so, yeah, here is a reverse ‑‑ this is a reverse
handler on the Metasploit.
This is the latest Nmap version, 6.25.
So if you have that, it's still vulnerable.
And this is the exact http-domino-enum-passwords script, which basically will result in a remote
arbitrary file upload.
So if you launch that against, for example, the system running Portspoof, you'll be able
to upload an arbitrary file, overwrite any file that's accessible with Nmap privileges.
In this case, I have written the script itself.
So next time, because someone might think that it's strange that there are some strange
results in the Nmap output.
Okay.
So next time somebody will launch the particular script with the same parameters, yeah, you'll
get pwned.
You will get a remote ‑‑ reverse Meterpreter.
I know the quality is a bit low.
But if you want ‑‑ if you want to ‑‑ if you want to use the Nmap, you can use the ‑‑
Just go to the main website.
You can view it online.
I'll change ‑‑ I'll upload it in a second.
Sorry for this.
I thought it would be visible.
At the end, yeah.
So yeah.
Thank you for your time and for coming.
I hope you enjoyed it.
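The first part of the talk describes the mechanism behind Portspoof: a single user-space daemon bound to one port, an iptables REDIRECT rule that funnels every other TCP port to it, and a pool of fake service signatures handed back to whatever probes arrive, so that a scanner sees every port as open and has to spend traffic and time on service probes that the defender can log. The following is an added example that illustrates that mechanism; it is not the Portspoof project's code. The signature pool, the port number 4444, the interface name and the logging format are constructed for the example, and the SO_ORIGINAL_DST lookup is a Linux-only detail (the option number 80 on SOL_IP) used to recover which port the scanner originally hit after the NAT redirect.

```python
"""Minimal Portspoof-style fake-service responder (added example, not the
Portspoof project's code).

Deployment idea from the talk: the daemon binds ONE port, and an iptables
NAT rule redirects the rest of the TCP range to it.  Because a real listener
accepts every connection, SYN/stealth scans report every port as open, and
the service scan has to pull a banner from each one, which we log.
"""
import random
import socket
import socketserver
import struct
from dataclasses import dataclass

LISTEN_PORT = 4444  # the single real port the daemon binds (constructed value)

# Constructed signature pool; the real tool ships a much larger one.
SIGNATURES = [
    b"220 mail.example.invalid ESMTP Postfix\r\n",
    b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n",
    b"+OK Dovecot ready.\r\n",
    b"* OK IMAP4rev1 Service Ready\r\n",
    b"220 (vsFTPd 2.3.4)\r\n",
    b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27login: ",  # telnet option negotiation
]

HTTP_BANNER = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\n"
               b"Content-Length: 0\r\nConnection: close\r\n\r\n")


@dataclass
class ProbeRecord:
    """One logged scanner interaction: who probed which port with what bytes."""
    peer: str
    original_port: int
    probe: bytes
    reply: bytes


def iptables_redirect_rule(iface: str, listen_port: int = LISTEN_PORT) -> str:
    """NAT rule that funnels the whole TCP port range on `iface` to the daemon.
    Ports that carry real services must be ACCEPTed earlier in the chain
    (or excluded from the range) so legitimate traffic still reaches them."""
    return (f"iptables -t nat -A PREROUTING -i {iface} -p tcp -m tcp "
            f"--dport 1:65535 -j REDIRECT --to-ports {listen_port}")


def choose_reply(probe: bytes, rng: random.Random) -> bytes:
    """Protocol-aware for an obvious HTTP request, otherwise a random signature.
    A seeded rng makes the choice reproducible, which the test relies on."""
    if probe[:4] in (b"GET ", b"HEAD", b"POST"):
        return HTTP_BANNER
    return rng.choice(SIGNATURES)


def record_probe(peer: str, original_port: int, probe: bytes,
                 rng: random.Random) -> ProbeRecord:
    """Build the log record for one connection, including the banner we sent."""
    return ProbeRecord(peer, original_port, probe, choose_reply(probe, rng))


def original_dst_port(sock: socket.socket) -> int:
    """Recover the pre-REDIRECT destination port (Linux SO_ORIGINAL_DST = 80).
    Falls back to the bound port on platforms without that option."""
    try:
        raw = sock.getsockopt(socket.SOL_IP, 80, 16)   # struct sockaddr_in
        return struct.unpack("!2xH12x", raw)[0]
    except (OSError, AttributeError):
        return sock.getsockname()[1]


class SpoofHandler(socketserver.BaseRequestHandler):
    rng = random.Random()

    def handle(self) -> None:
        self.request.settimeout(2.0)
        try:
            probe = self.request.recv(1024)   # Nmap's NULL probe sends nothing: recv times out
        except socket.timeout:
            probe = b""
        rec = record_probe(self.client_address[0],
                           original_dst_port(self.request), probe, self.rng)
        self.request.sendall(rec.reply)
        # Every line here is a detection signal: one source hitting thousands
        # of "open" ports with service probes is a scan, not a user.
        print(f"probe from {rec.peer} to port {rec.original_port}: "
              f"{rec.probe[:32]!r} -> {rec.reply[:16]!r}")


if __name__ == "__main__":
    print("deploy with:", iptables_redirect_rule("eth0"))
    with socketserver.ThreadingTCPServer(("0.0.0.0", LISTEN_PORT), SpoofHandler) as srv:
        srv.serve_forever()
```

Run it unprivileged (no root is needed to bind 4444), add the printed NAT rule as root, and a service scan against the host will then report every redirected port as open with one of the pooled banners, while the daemon's log records each probe.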
